Partial validation of configurations at runtime

ABSTRACT

A system configuration is partially validated in response to requested changes to the system configuration. First, a reduced set of constraints is identified among a plurality of constraints of the system configuration. The reduced set of constraints place restrictions on attribute values and relations of changed entities to which the requested changes are applied. Each constraint of the reduced set is categorized based on leadership information that indicates an impact that a changed entity has on another entity with respect to the constraint. Each categorized constraint of the reduced set is validated to determine whether to accept, reject or modify the system configuration having the requested changes.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 62/085,304 filed on Nov. 27, 2014.

TECHNICAL FIELD

Embodiments of the invention relate to runtime system configuration management.

BACKGROUND

A system configuration is a set of configuration entities, and their relations to each other. The configuration defines the arrangement and the order that the system is to obey. At runtime the configuration may need to be modified by different actors to meet certain/new requirements or respond to performance degradations or upgrade purposes. The reconfiguration has to respect the consistency rules of the configuration to avoid service outage. The consistency rules include a set of structural integrity requirements and application/domain constraints.

The capability of runtime configuration validation is a prerequisite for self-managing systems with dynamic reconfiguration capabilities (e.g., the cloud) as these systems need to detect any potential inconsistencies. The capabilities of runtime validation and dynamic reconfiguration are especially needed in systems with high availability (HA) requirements. It is not acceptable to shut down or restart HA systems due to the need for validation and/or reconfiguration.

Preserving the configuration consistency is a main functionality of a validation module of a system. It is desired that real-time systems provide this functionality at runtime with minimal overhead, e.g., by performing the minimum needed checks. However, configurations may consist of hundreds of entities, with complex relations and constraints. Thus, validation time can grow to the extent that it becomes impractical to perform runtime configuration validation.

In this context, most of the research studies focus on the structural checking of the functional configuration parameters (e.g., type correctness, checking the validity of the values of the system entities' attributes with respect to the constraints of each entity and the relation between the entities). These solutions either are platform-dependent or focus on the correctness of the runtime validation.

SUMMARY

There is a need for a low-overhead runtime validation mechanism to check the modifications against the consistency rules of the system. In one embodiment, a method is provided for validating a system configuration by partially validating requested changes to the system configuration. The method comprises: identifying a reduced set of constraints among a plurality of constraints of the system configuration, wherein the reduced set of constraints place restrictions on attribute values and relations of changed entities to which the requested changes are applied; categorizing each constraint of the reduced set based on leadership information that indicates an impact that a changed entity has on another entity with respect to the constraint; and validating each categorized constraint of the reduced set to determine whether to accept, reject or modify the system configuration having the requested changes.

In another embodiment, a system is provided for validating a system configuration by partially validating requested changes to the system configuration. The system comprises: a memory and processing circuitry coupled to the memory. The processing circuitry is adapted to: identify a reduced set of constraints among a plurality of constraints of the system configuration, wherein the reduced set of constraints place restrictions on attribute values and relations of changed entities to which the requested changes are applied; categorize each constraint of the reduced set based on leadership information that indicates an impact that a changed entity has on another entity with respect to the constraint; and validate each categorized constraint of the reduced set to determine whether to accept, reject or modify the system configuration having the requested changes.

In yet another embodiment, a system is provided for validating a system configuration by partially validating requested changes to the system configuration. The system comprises: an identifying module adapted to identify a reduced set of constraints among a plurality of constraints of the system configuration, wherein the reduced set of constraints place restrictions on attribute values and relations of changed entities to which the requested changes are applied; a categorizing module adapted to categorize each constraint of the reduced set based on leadership information that indicates an impact that a changed entity has on another entity with respect to the constraint; a validating module adapted to validate each categorized constraint of the reduced set to determine whether to accept, reject or modify the system configuration having the requested changes.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a model based framework for managing changes to a system configuration according to one embodiment.

FIG. 2 illustrates a Pet Store example and its deployment according to one embodiment.

FIG. 3 illustrates the relation between the entities of a simplified domain model according to one embodiment.

FIG. 4 illustrates an extension of constraints with leadership information according to one embodiment.

FIG. 5 illustrates a change profile and an example change model according to one embodiment.

FIG. 6 illustrates an example of filtering transformation and categorization according to one embodiment.

FIG. 7 illustrates a method for validating a system configuration according to one embodiment.

FIG. 8 illustrates a system for validating a system configuration according to one embodiment.

FIG. 9 illustrates a computer system for validating a system configuration according to one embodiment.

DETAILED DESCRIPTION

In the following description, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In other instances, well-known circuits, structures and techniques have not been shown in detail in order not to obscure the understanding of this description. It will be appreciated, however, by one skilled in the art, that the invention may be practiced without such specific details. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation.

In some alternate implementations, the functions/acts may occur out of the order noted in the sequence of actions. Furthermore, in some illustrations, some blocks may be optional and may or may not be executed.

Embodiments of the invention provide a model based approach to configuration management, with partial validation of the configuration to reduce the validation time and overhead. The output of the partial validation serves as input for an auto-adjustment function module which performs corrective actions to remove the potential inconsistencies.

The partial validation described herein is performed at runtime. Runtime reconfigurations, either proposed as a change of a single system entity or as a bundle of changes affecting a number of entities, often target only parts of the configuration. Thus, when the changes impact a limited portion of the configuration, partial validation is sufficient for validating a runtime reconfiguration and guarantees the consistency of the configuration in the same way as complete validation does. Partial validation not only guarantees the correctness of the changed configuration with respect to the consistency rules, but also performs a minimal checking to keep the validation time acceptable for the system especially in real-time or highly available systems.

The following description presents a configuration management framework and explains the role of partial validation for dynamic reconfiguration in this framework. One solution for partial validation, as described herein, follows the model driven paradigm using a Unified Modeling Language (UML) profile and Object Constraint Language (OCL) constraints.

In systems where the configuration generation and maintenance follow a systematic approach, a configuration schema is used to specify the structure of the system configuration entities and their relations. In one embodiment, a configuration schema can be defined using a Domain Specific Language (DSL) or a general purpose modeling language. In one embodiment, the UML and its profiling mechanism are chosen for defining the configuration schema, although in alternative embodiments different languages and profiling mechanisms may be used. The consistency rules coming from the application domain may be expressed as constraints. The constraints restrict the entities and their relations by governing both their structure and behavior to preserve the well-formedness of the configuration model. The consistency rules of the system configuration can be captured using the OCL and added to the configuration profile. A valid configuration model conforms to the configuration profile; therefore, the validity of the configuration model is checked against this configuration profile.

According to an embodiment, the OCL is extended with role definitions. These roles are defined for the entities participating in an OCL constraint. The extensions provide information about the roles of the constrained entities of a constraint with respect to each other. This information, in turn, allows filtering and categorizing the constraints of the configuration profile with respect to a modification request. By selecting only the relevant constraints (i.e., relevant to the changed entities), the number of constraints needing to be checked is reduced. Thus, validation time and overhead are reduced compared to a complete validation, in which all constraints are checked.

A system configuration is a set of configuration entities and their relations to each other. These configuration entities are logical representations of the system resources. The configuration defines the arrangement and the order that the system obeys. The definition and granularity of the configuration entities depend on the system domain and its requirements. Components, groups of components, sub-systems, virtual machines, and hardware elements are examples of the resources the configuration entities represent. A configuration schema can be used to define the correct structure of the configuration entities and their relations at a higher level of abstraction. A system's configuration is an instance of this schema. The consistency rules are restrictions imposed on the configuration entities and the relations between them. They may also represent semantics of the application domain. The rules are part of the schema. A configuration is considered valid and correct if it respects its schema.

In HA systems, configuration change requests may come at runtime from different actors. These requests cause the system configuration to be changed. The changes are validated before being applied to the system such that the consistency of the configuration is not violated and negative impacts on the system can be avoided.

In one embodiment, the validation takes place in two steps: the Legitimacy check and the Integrity check. Both aim to find the rules that are violated by the requested changes. The difference between the two is the type of the constraints they check. If a Legitimacy rule is violated by the requested modification, the modification is rejected immediately. A successful Legitimacy check is followed by the Integrity check. Violating an Integrity rule does not result in an immediate rejection of the modification request. The reason is that the change may be incomplete and the inconsistency might be resolved by an auto-adjustment agent (also referred to as an adjustment agent). The auto-adjustment agent attempts to resolve the Integrity rule violation through additional modifications that satisfy the Integrity and Legitimacy rules by construction. Because the violated rules are the basis of the auto-adjustment of the configuration, the additional modifications are safe and sufficient. Thus, no further checks are needed after the auto-adjustment.

The runtime configuration validation is performed to facilitate dynamic reconfigurations. The validation process identifies the violated rules and the affected entities. The auto-adjustment agent uses this information to find a resolution.

FIG. 1 illustrates a model based framework 100 for managing changes to a system configuration 140 according to one embodiment. The framework 100 includes a configuration validator 110 to validate the change requests submitted by an administrator or management applications 160. The framework 100 also includes an adjustment agent 120 that finds complementary modifications, if any exist, to resolve the potential inconsistencies detected by the validator 110. In one embodiment, the system configuration 140 may be validated by the validator 110 using a partial validation approach, which prunes unnecessary constraints and thus reduces the cost and time of validation. The result of the partial validation may be used by the adjustment agent 120, which, whenever possible, automatically adjusts the configuration in case of detecting constraint violations.

The system configuration model used for the configuration change management is briefly explained below. In one embodiment, the UML and its profiling mechanism are used to define a configuration schema, which captures the concepts and relations of the system configuration 140 in a system configuration profile 130. System constraints, in the form of consistency rules 150, are added to the profile 130 as OCL constraints to capture the semantics and additional restrictions. The relations and dependencies between the configuration entities or attributes indicate that some of them have a determining role and lead the others especially during configuration changes. In one embodiment, the constraints may be enriched by adding the leadership information to express the way the constrained entities may impact each other. More specifically, the leader, follower, and peer roles are defined for the constrained entities to indicate the influence of the entities on each other, e.g., in a constraint the leader entities have influence over the other follower entities. In other constraints, peer entities have equal effect on each other. In one embodiment, the consistency rules 150 include three categories of constraints, LConstraints, FConstraints and PConstraints, where the prefix “L” represents the leader, “F” represents the follower and “P” represents the peer. The formation of the three constraint categories will be explained in further detail in connection with FIG. 6 and Algorithm_1.

In the following, an extension to the constraints and the use of the extension in the validation process are explained. The constraints are restrictions on the attribute values of the configuration entities, their behaviors and relations. They are defined when the configuration schema is designed to reflect the requirements of the system or application domain. Subsequently, they are taken into account in the configuration generation process to ensure the consistency of the resulting configuration.

OCL is a declarative language that describes the constraints for UML models and profiles. It specifies what conditions are to be met by the entities involved in the OCL expressions rather than defining how it is achieved. Although the standard OCL is suitable for many applications, it may sometimes be insufficient. Therefore, it is useful to extend OCL to add more information to the constraints. The configuration constraints can also be enriched by OCL extension. A constraint places some restriction on an entity or entities. The roles of these entities may not be equal, that is, some entities in the constraint can have influence over the others. These dominant and dominated roles of entities in a constraint cannot be expressed by standard OCL. However, knowing these roles can help in identifying the constraints that need to be checked and the order in which they need to be checked.

An example explaining the leadership concept and constraints is provided below, before further details of FIG. 1 are described. To demonstrate the extension to the OCL constraints and its usage, an example is presented in relation to the Open Virtualization Format (OVF) defined by the Distributed Management Task Force (DMTF). OVF is a packaging standard, which describes an extensible format for packaging and distribution of software products for virtual systems. It enables the cross-platform portability by allowing software vendors to create a single, pre-packaged appliance. Different choices of virtualization platforms for running the packaged appliance are therefore available.

FIG. 2 illustrates a Pet Store example and its deployment according to one embodiment. The upper part of FIG. 2 shows the structure of a simple two-tiered Pet Store example. It consists of a Web Tier 210 and a Database (DB) Tier 220. The Web Tier 210 includes one Virtual System (Web Server) and the DB Tier 220 includes two Virtual Systems (DB1, and DB2) for fault tolerance. Three Virtual Systems (Web Server, DB1, and DB2) and three Virtual System Collections (Pet store, Web Tier 210, and DB Tier 220) are included in the Pet Store OVF package.

The OVF package definition allows for the specification of proximity requirements for the deployment of Virtual Systems in a given scope (e.g., host, rack, etc.) through the definition of Placement Group policies for the Virtual Systems and Virtual System Collections:

Affinity Policy: It is used to specify that two or more Virtual Systems are to be deployed closely together, because, for example, they need fast communication.

Availability Policy: It is used to specify that two or more Virtual Systems are to be deployed separately because of HA or disaster recovery considerations.

For instance, in the illustrated Pet Store example of FIG. 2, the DB Virtual Systems are to be deployed on different hosts for fault tolerance. Thus, the PG1 Placement Group with the availability policy is specified for the Virtual System Collection of the DB Tier 220. PG1 is defined as a property of the DB Tier 220. On the other hand, the DB2 and Web Server Virtual Systems are to be deployed on the same host for fast communication; the PG2 Placement Group with affinity policy is specified for the two Virtual Systems. Similarly, PG2 is defined as a property for the DB2 and the Web Server Virtual Systems.

FIG. 3 illustrates the relation between the entities of a simplified OVF domain model 300 according to one embodiment. The restrictions that the policies are imposing on the deployment of Virtual Systems can be expressed with OCL constraints 310 and 320 included in the figure.

It is noted that OVF allows defining a combination of availability and affinity policies for the Virtual Systems and their Collections. Referring again to the bottom part of FIG. 2, at deployment time the Virtual Systems with their Placement Groups dictate how they are to be deployed on the Hosts. Note that the Placement Group may be defined for the Virtual System (e.g., in the Web Server Virtual System) or inherited from the parent Virtual System collection (e.g., DB1 Virtual System) or a combination of these two cases (e.g., DB2 Virtual System). The DB Tier 220 has a Placement Group PG1 which itself has the “availability” policy, thus all the Virtual Systems of DB Tier 220 (DB1, DB2) are to be hosted on different Hosts (Host1 and Host2). On the other hand, the Placement Group (PG2) defined for Virtual Systems of DB2 and Web Server has the “affinity” policy; thus the two Virtual Systems are to be placed on the same Host (Host2). An OCL constraint can capture part of the restrictions on the relation between the Virtual Systems and their Host(s) imposed by the Placement Group policies. However, an OCL constraint (without the extensions) cannot capture the role of the Virtual Systems in the constraint as the ones which affect the Host entity selection.

According to one embodiment, an extension to OCL is provided by defining roles for the constrained entities to show the influence of some entities over others in the constraint. Considering the semantic of the relations between the entities, a leadership flow can be identified between them. In other words, in a constraint with multiple entities involved, changes in some entities may impact the others.

In the example of FIG. 2, there is a constraint between the Virtual System and the Host entities. The Virtual System entity is the one that has the Leader role and drives the Host entity; that is, the Follower. This means that if the Virtual System entity (including its Placement Group) changes and the constraint becomes violated, the Host of the Virtual System needs to change to follow the Virtual System change in order to satisfy the constraint. On the other hand, if the Host of the Virtual System tries to change and this change violates the constraint, the Virtual System and its Placement Group cannot be changed as the role semantic does not allow the leader entity to adjust to the changes of the follower entities. For instance, in the Pet Store example the DB Tier 220 (i.e., DB1, DB2) and the Web Server are the leader entities while Host1 and Host2 are the followers. Assume that Host1 fails. Since PG1 does not allow the collocation of DB1 and DB2, DB1 cannot be re-deployed. On the other hand if the Placement Group of the DB Tier is changed from PG1 to PG2, this change of the leader results in changing the Host entity (follower) which means now DB1 and DB2 are to be placed on the same Host (e.g., Host1 or Host2).

The role definitions for the entities depend on the semantic of the relation. Thus, for some constraints the entities may have equal influence over each other. Such entities are called Peer entities.

FIG. 4 illustrates an extension 450 of the constraints with the leadership information according to one embodiment. This extension 450 is added to the OCL to enrich the constraints without changing the internal OCL grammar and metamodel, so the parsers and validators designed for the standard OCL remain usable. The OCL with the extension is hereinafter referred to as a constraint profile 400. The following description explains how the constraint profile 400 is used for partial validation.

It is worth mentioning that the roles of the constrained entities may change with the application scenario. More specifically, the leader/follower/peer roles may be defined for the entities for the initial design time of a configuration to meet the setup and deployment requirements (e.g., similar to the Pet Store example). However, after the system is deployed and the requirements change, the allowable changes may be limited. For example, due to budget reasons, no new hosts can be added to the system and, as a result, the Virtual Systems (including the software products) need to adapt and follow the Host restrictions in this respect. This means that now the Host entity becomes a leader and the Virtual System and Virtual System collection become followers, although the standard portion of the OCL constraint between them remains unchanged. Defining the roles for the entities through the leadership information has the advantage that the roles can be defined and changed whenever necessary without affecting the constraints themselves.

A partial validation approach is presented in the following description. To validate a configuration model, its conformance to the configuration profile is checked. The profile defines the stereotypes, their relations (i.e., the structure of the model) along with a set of constraints over these stereotypes and relations, which assure well-formedness. Conventionally, when a request for changing some entities of the configuration model is received, the whole model is checked to make sure that the modified model respects the structure and the constraints of its profile. This full validation can be a time and resource consuming process. Such overhead is not desirable in live systems, especially if they are real-time or highly available systems. To reduce the overhead and improve the system performance, a partial validation is performed that minimizes the number of constraints and/or configuration entities to be checked. In one approach, the number of constraints to be checked is minimized based on the requested changes. This also leads to the reduction of the number of configuration entities that need to be checked. This is because the validator 110 (FIG. 1) checks only the entities whose stereotypes are involved in the selected constraints. This new set of configuration entities include at least the changed entities and the ones related to them through their constraints. It is noted that the constraints are validated for all relevant entities of the modified system configuration. This is because the constraints are defined at the metamodel level, while the configuration is at the model level and can have multiple instances of each stereotype.

Validation overhead can be reduced when the constraint and entity selection time is negligible compared to the time saving achieved by partial validation. However, in cases where the modification request includes entities of many different stereotypes, the number of constraints that need to be selected is considerable and the constraint selection may not be worthwhile anymore. Another case when partial validation is less efficient is when a few constraints are selected to be checked against a large number of configuration entities composing the major part of the configuration. Thus, a threshold may be identified at which, for a set of changes, the time needed for the constraint and entity selection for the partial validation and the partial validation itself exceeds the time of a full validation. This threshold depends on several factors such as the size of the configuration model, the number of instances of each stereotype, and the number of constraints. In some cases, the partial validation that uses constraint selection alone is already more efficient than full validation.

The constraint selection is based on the modification request and it provides that only the relevant constraints are selected for checking. The constraints are filtered to form a reduced set of constraints, and the selected constraints are categorized based on the role of the changed entities in the constraints.

In one embodiment, leadership information that was added to the constraints may be used to filter the constraints such that the reduced set of constraints can be identified. The filtering is based on the modification request of a system actor. Assume that a request may consist of many changes, each of which applies to one or more entities of the configuration model. These changes are called the change set. The configuration entities of the change set can be represented in a model that conforms to a change profile. FIG. 5 illustrates a change profile 500 and an example change set according to one embodiment. The change profile 500 has a stereotype called CEntity 510 which extends the NamedElement metaclass of UML. The CEntity stereotype 510 is to represent those entities of the configuration model that are requested to be changed. In the Pet Store example of FIG. 2, the configuration model may have an entity called Web Server which needs to be changed (updated), and another entity called DB1 which needs to be deleted. A change model 550 represents the needed changes to the configuration model. The operation requested on the model entities is represented by Operation stereotype 520 in the change profile 500. It is specialized as the Add, Update, and Delete stereotypes. Regardless of the requested operation, the constraints in which the entity is involved are checked. Such a change model 550 is one of the inputs to the constraint filtering process.

Having the change model 550 and the configuration profile (e.g., the system configuration profile 130 of FIG. 1), the stereotypes applied on each changed entities can be identified, which are the stereotypes of the configuration profile and also the CEntity stereotype 510. For the validation, these stereotypes of the configuration profile are considered. The constraints of the configuration profile are defined over these stereotypes and their roles are captured through the leadership concept. Therefore, by looking up the stereotypes of the changed entities, the validator 110 of FIG. 1 can select the constraints of the configuration profile that have the same stereotypes as the stereotypes applied to the entities of the change model 550 and that include the leadership role in the profile.

Algorithm_1 describes a filtering process and the categorization of the filtered constraints according to the role of the changed entities in the constraints. The output of the algorithm are the filtered and categorized constraints. The algorithm starts with four empty sets (models): A, LConstraintModel, FConstraintModel, PConstraintModel. Set A collects the stereotypes of all changed entities (lines 6 to 8). For each constraint in the ConstraintModel, its LeadershipInfo is considered and the Leader/Follower/Peer stereotypes are compared with the stereotypes of set A. If a common stereotype is found, then the constraint is added to one of the sets of LConstraintModel, FConstraintModel, PConstraintModel, while making sure each constraint is added only to one of the output constraint models (line 10 to 19).

The filtering process of Algorithm_1 can be implemented using a transformation model. An example of Filtering Transformation 600 is illustrated in FIG. 6, according to one embodiment. The filtering transformation 600 not only filters the constraints but also categorizes the filtered constraints based on the roles of the changed entities in the constraints. More specifically, the filtering transformation 600 takes a change model 610, a constraint model 620, and a configuration profile 650 as input, and selects (i.e., filters) the relevant constraints and classifies them into the three constraint models (LConstraintModel 621, FConstraintModel 622, PConstraintModel 623) as output. The change model conforms to a change profile 630. The constraint model 620, LConstraintModel 621, FConstraintModel 622, and PConstraintModel 623 conform to a constraint profile 640.

Algorithm_1 Filtering and Categorizing the constraints Input: ConfigurationProfile, ConstraintModel, ChangeModel Output: LConstraintModel, FConstraintModel, PConstraintModel  1: A := { }  2: LConstraintModel:= { }  3: FConstraintModel:= { }  4: PConstraintModel:= { }  5: // Find all the stereotypes applied to the entities of the ChangeModel  6: for each ENTITYj in ChangeModel do  7:  A:= A ∪{ENTITYj.getAppliedStereotypes( )}  8: end for  9: //Filtering and categorizing constraints of the ConstraintModel  10:for each CONSTRAINTi in ConstraintModel do  11: K:=CONSTRAINTi->LeadershipInfo  12: if {K.Leader}∩ A ≠ { } then  13:  LConstraintModel:= LConstraintModel∪ {CONSTRAINTi}  14: else if {K.Follower}∩ A ≠ { } then  15:  FConstraintModel := FConstraintModel∪ {CONSTRAINTi}  16: else if {K.Peer}∩ A ≠ { } then  17:  PConstraintModel := PConstraintModel∪ {CONSTRAINTi}  18: end if  19: end for

If the applied stereotype on a changed entity (in the change model 610) has a leader role in a constraint, that constraint is added into the LConstraint category. Similarly, if the stereotype of another changed entity has the follower role in a constraint, that constraint is added to the FConstraint category. The PConstraint category is defined similarly for the constraints whose entities have a peer role in the constraint and also appear in the change model 610. This categorization is shown in the example of FIG. 6.

In one embodiment, the three constraint categories do not have any intersection (i.e., no common constraint between each two categories). Otherwise, if a constraint happens to be in two categories, the validation process would check the constraint twice and would contradict with reducing the number of constraint checking. Therefore, in cases where a constraint can be categorized in more than one category, a choice of only one category is made. An example of such a case is when both the leader and follower entities of a constraint are changed within the same change set. For instance in the Pet Store example, when a request changes an instance of the DB Tier 220 (leader) and an instance of the Host (follower) in the same change set. In cases where both the leader and follower entities of the constraint are changed within the same change set, the constraint can be categorized as FConstraint and as LConstraint and added to both. To avoid having duplicate constraints in the categories, the constraint is added to only one of the constraint categories. In one embodiment, such constraints are added to the LConstraint category because at least one leader entity is involved and in case of constraint violation its follower(s) can be adjusted to satisfy the constraint.

Referring again to FIG. 1, after the constraint categorization, the validator 110 starts the validation by checking the most restrictive category, i.e., FConstraints (block 111). This operation is also referred to as the Legitimacy Check of the configuration management. If a violation occurs in FConstraints, the validation is stopped and the changes are rejected. This is because the FConstraints set collects the constraints for the changes of follower entities only, and follower entities cannot impact the leader entities. On the other hand, a violation of LConstraints and/or PConstraints still allows for the adjustment of the changed configuration by modifying the respective follower or peer entities of the LConstraints or PConstraints. After validating the FConstraints, the validator 110 checks the LConstraints and PConstraints (block 112). This operation is also referred to as the Integrity Check of the configuration management. As mentioned previously, a failed Integrity Check may be resolved by auto-adjustment of the configuration.

If the validator 110 finds no constraint violation in any of the three constraint categories, the requested changes are applied to the system configuration 140. If any constraint violation is found in the LConstraints or PConstraints categories, the adjustment agent 120 uses the leadership information defined in the consistency rules 150 to determine whether an adjustment can be made to the system configuration to resolve the violation. If valid modifications can be found, the adjustment agent 120 applies the modification to the system configuration 140. Otherwise, the requested changes are rejected.

A partial validation approach has been described. In the partial validation, the constraints are filtered based on the change request. The filtered constraints include only those constraints whose constrained entities are changed in the change request. Thus, the partial validation can achieve better performance compared to the full validation by reducing the validation time. The filtered constraints can be also categorized according to the roles of the changed entities in the constraint. With the categorization, potential inconsistencies that can be handled by auto-adjustment and those which cannot be resolved by auto-adjustment can be distinguished.

The model based framework 100 (FIG. 1) has at least the following advantages. By selecting only the constraints that are relevant to the changed entities, the number of constraints needed to be checked is reduced, which results in reduction of validation time and overhead compared to the complete validation. In addition, for self-managing systems, the framework 100 is capable of identifying all the constraints necessary to keep the system configuration consistent. The adjustment agent 120 attempts to resolve the Integrity rule violation through additional modifications that satisfy the Integrity and Legitimacy rules by construction.

FIG. 7 is a flow diagram illustrating a method 700 for validating a system configuration by partially validating requested changes to the system configuration according to one embodiment. The method 700 begins at step 710 when a system (e.g., the framework 100 of FIG. 1) identifies a reduced set of constraints among a plurality of constraints of the system configuration. The reduced set of constraints places restrictions on attribute values and relations of changed entities to which the requested changes are applied. At step 720, the system categorizes each constraint of the reduced set based on leadership information. The leadership information indicates an impact that a changed entity has on another entity with respect to the constraint. At step 730, the system validates each categorized constraint of the reduced set to determine whether to accept, reject or modify the system configuration having the requested changes.

FIG. 8 illustrates a system 800 for validating a system configuration by partially validating requested changes to the system configuration according to one embodiment. In one embodiment, the system 800 includes an identifying module 810 adapted or operative to identify a reduced set of constraints among a plurality of constraints of the system configuration, wherein the reduced set of constraints places restrictions on attribute values and relations of changed entities to which the requested changes are applied. The system 800 also includes a categorizing module 820 adapted or operative to categorize each constraint of the reduced set based on leadership information that indicates an impact that a changed entity has on another entity with respect to the constraint. The system 800 further includes a validating module 830 adapted or operative to validate each categorized constraint of the reduced set to determine whether to accept, reject or modify the system configuration having the requested changes.

FIG. 9 illustrates a computer system 900 within which a set of instructions, for causing the machine to perform any one or more of the methodologies, e.g., methods, algorithms, steps or logic, discussed herein, may be executed. In one embodiment, the computer system 900 may be part of a networked system, and/or operate in a cloud computing environment where multiple server computers in one or more service centers collectively provide computing services on demand. While only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines (e.g., computers) that individually or jointly execute one or more sets of instructions to perform any one or more of the methodologies discussed herein.

The computer system 900 includes processing circuitry 902, such as one or more general-purpose processors, each of which can be: a microprocessor, a central processing unit (CPU), a multicore processor, or the like. The processing circuitry 902 may also be one or more special-purpose processing devices such as an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. In one embodiment, the processing device 902 is adapted or operative to execute the operations of a model based framework (e.g., the framework 100 of FIG. 1), which contains instructions executable by the processing circuitry 902 to perform the method 700 of FIG. 7.

In one embodiment, the processor circuitry 902 is coupled to one or more memory devices such as: a main memory 904 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM), etc.), a secondary memory 918 (e.g., a magnetic data storage device, an optical magnetic data storage device, etc.), and other forms of computer-readable media, which communicate with each other via a bus or interconnect 930. The memory devices may also include different forms of ROMs, different forms of random access memories (RAMs), static random access memory (SRAM), or any type of media suitable for storing electronic instructions. In one embodiment, the memory devices may store the code and data of the framework 100, which may be entirely or partially stored in one or more of the locations shown as dotted boxes and labeled by the reference numeral 100, or in other location(s) not shown in FIG. 9. 

1. A method for validating a system configuration by partially validating requested changes to the system configuration, the method comprising: identifying a reduced set of constraints among a plurality of constraints of the system configuration, wherein the reduced set of constraints place restrictions on attribute values and relations of changed entities to which the requested changes are applied; categorizing each constraint of the reduced set based on leadership information that indicates an impact that a changed entity has on another entity with respect to the constraint; and validating each categorized constraint of the reduced set to determine whether to accept, reject or modify the system configuration having the requested changes.
 2. The method of claim 1, wherein the leadership information further indicates a leadership role of the changed entity in the constraint and the leadership role is one of a leader, a follower and a peer.
 3. The method of claim 1, wherein categorizing each constraint of the reduced set further comprises: categorizing each constraint of the reduced set into one of a leader category, a follower category and a peer category according to a leadership role of the changed entity in the constraint.
 4. The method of claim 3, further comprising: rejecting the requested changes in response to a determination that a categorized constraint in the follower category is violated by the requested changes.
 5. The method of claim 3, further comprising: if none of the categorized constraints in the follower category are violated by the requested changes, determining whether at least one of the categorized constraints in the leader category or the peer category is violated by the requested changes.
 6. The method of claim 5, further comprising: if none of the categorized constraints in the follower category are violated by the requested changes, and at least one of the categorized constraints in the leader category or the peer category is violated by the requested changes, identifying a set of violated constraints and affected entities in the system configuration and marking the violated constraints as potential violation.
 7. The method of claim 1, further comprising: accepting the requested changes in response to a determination that none of the categorized constraints are violated by the requested changes.
 8. The method of claim 1, wherein identifying a reduced set of constraints further comprises: identifying stereotypes of the changed entities, wherein the stereotypes are a representation of the changed entity at a metamodel level of the system configuration; and adding a given constraint to the reduced set of constraints if the leadership information of the given constraint includes one of the identified stereotypes.
 9. The method of claim 1, wherein categorizing each constraint of the reduced set further comprises: adding each categorized constraint into only one category when the categorized constraint places a restriction on a number of changed entities that have different leadership roles in the categorized constraint.
 10. The method of claim 1, wherein the requested changes applied to the changed entities include one or more of an add operation, a remove operation and an update operation.
 11. A system for validating a system configuration by partially validating requested changes to the system configuration, comprising: a memory; and processing circuitry coupled to the memory, the processing circuitry adapted to: identify a reduced set of constraints among a plurality of constraints of the system configuration, wherein the reduced set of constraints place restrictions on attribute values and relations of changed entities to which the requested changes are applied; categorize each constraint of the reduced set based on leadership information that indicates an impact that a changed entity has on another entity with respect to the constraint; and validate each categorized constraint of the reduced set to determine whether to accept, reject or modify the system configuration having the requested changes.
 12. The system of claim 11, wherein the leadership information further indicates a leadership role of the changed entity in the constraint and the leadership role is one of a leader, a follower and a peer.
 13. The system of claim 11, wherein the processing circuitry is further adapted to: categorize each constraint of the reduced set into one of a leader category, a follower category and a peer category according to a leadership role of the changed entity in the constraint.
 14. The system of claim 13, wherein the processing circuitry is further adapted to: reject the requested changes in response to a determination that a categorized constraint in the follower category is violated by the requested changes.
 15. The system of claim 13, wherein the processing circuitry is further adapted to: if none of the categorized constraints in the follower category are violated by the requested changes, determine whether at least one of the categorized constraints in the leader category or the peer category is violated by the requested changes.
 16. The system of claim 15, wherein the processing circuitry is further adapted to: if none of the categorized constraints in the follower category are violated by the requested changes, and at least one of the categorized constraints in the leader category or the peer category is violated by the requested changes, identify a set of violated constraints and affected entities in the system configuration and marking the violated constraints as potential violation.
 17. The system of claim 11, wherein the processing circuitry is further adapted to: accept the requested changes in response to a determination that none of the categorized constraints are violated by the requested changes.
 18. The system of claim 11, wherein the processing circuitry is further adapted to: identify stereotypes of the changed entities, wherein the stereotypes are a representation of the changed entity at a metamodel level of the system configuration; and add a given constraint to the reduced set of constraints if the leadership information of the given constraint includes one of the identified stereotypes.
 19. The system of claim 11, wherein the processing circuitry is further adapted to: add each categorized constraint into only one category when the categorized constraint places a restriction on a number of changed entities that have different leadership roles in the categorized constraint.
 20. The system of claim 11, wherein the requested changes applied to the changed entities include one or more of an add operation, a remove operation and an update operation.
 21. A system for validating a system configuration by partially validating requested changes to the system configuration, comprising: an identifying module adapted to identify a reduced set of constraints among a plurality of constraints of the system configuration, wherein the reduced set of constraints place restrictions on attribute values and relations of changed entities to which the requested changes are applied; a categorizing module adapted to categorize each constraint of the reduced set based on leadership information that indicates an impact that a changed entity has on another entity with respect to the constraint; and a validating module adapted to validate each categorized constraint of the reduced set to determine whether to accept, reject or modify the system configuration having the requested changes. 